author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-13 02:03:36 +0300 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-12-13 02:03:36 +0300 |
commit | cffe7caa43575aead057d8779827bada786f84b6 (patch) | |
tree | 0782bf1cd66a7753caabafb10ab3feb15a5c1d2f /app/services | |
parent | 734bfe3a2e8b86c3e049f6f13d380b3d30e4e359 (diff) |
Add latest changes from gitlab-org/security/gitlab@16-6-stable-ee
Diffstat (limited to 'app/services')
-rw-r--r-- | app/services/personal_access_tokens/rotate_service.rb | 40 | ||||
-rw-r--r-- | app/services/project_access_tokens/rotate_service.rb | 58 |
2 files changed, 12 insertions, 86 deletions
diff --git a/app/services/personal_access_tokens/rotate_service.rb b/app/services/personal_access_tokens/rotate_service.rb
index 13144a04c11..32710629caf 100644
--- a/app/services/personal_access_tokens/rotate_service.rb
+++ b/app/services/personal_access_tokens/rotate_service.rb
@@ -10,18 +10,26 @@ module PersonalAccessTokens
 end
 def execute(params = {})
- return error_response(_('token already revoked')) if token.revoked?
+ return ServiceResponse.error(message: _('token already revoked')) if token.revoked?
 response = ServiceResponse.success
 PersonalAccessToken.transaction do
 unless token.revoke!
- response = error_response(_('failed to revoke token'))
+ response = ServiceResponse.error(message: _('failed to revoke token'))
 raise ActiveRecord::Rollback
 end
- response = create_access_token(params)
- raise ActiveRecord::Rollback unless response.success?
+ target_user = token.user
+ new_token = target_user.personal_access_tokens.create(create_token_params(token, params))
+
+ if new_token.persisted?
+ response = ServiceResponse.success(payload: { personal_access_token: new_token })
+ else
+ response = ServiceResponse.error(message: new_token.errors.full_messages.to_sentence)
+
+ raise ActiveRecord::Rollback
+ end
 end
 response
@@ -39,29 +47,5 @@ module PersonalAccessTokens
 scopes: token.scopes,
 expires_at: expires_at
 }
 end
-
- def create_access_token(params)
- target_user = token.user
-
- new_token = target_user.personal_access_tokens.create(create_token_params(token, params))
-
- return success_response(new_token) if new_token.persisted?
-
- error_response(new_token.errors.full_messages.to_sentence)
- end
-
- def expires_at(params)
- return params[:expires_at] if params[:expires_at]
-
- params[:expires_at] || EXPIRATION_PERIOD.from_now.to_date
- end
-
- def success_response(new_token)
- ServiceResponse.success(payload: { personal_access_token: new_token })
- end
-
- def error_response(message)
- ServiceResponse.error(message: message)
- end
 end
 end 
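Review bot: The creation now inlined in `execute` issues a replacement token for `token.user` carrying the old token's scopes (`scopes: token.scopes` in the second hunk) with no authorization check of its own — the only guard in the method is `token.revoked?` — so whether `current_user` is allowed to rotate this particular token rests entirely on the caller, and nothing in the method says so. I would state that precondition above `def execute`: `# Precondition: the caller has already authorized current_user to rotate this token; this service only revokes it and issues a replacement for token.user with the same scopes.` The `raise ActiveRecord::Rollback` in the new `else` branch presumably also undoes `token.revoke!`, leaving the old token usable when no replacement could be persisted; that looks intended but deserves a one-line comment there, e.g. `# keep the old token valid if no replacement could be issued`. In the second hunk the deleted `expires_at(params)` helper had an unreachable `params[:expires_at] ||` fallback, and the surviving `expires_at: expires_at` context line presumably reads a local of `create_token_params` (whose start lies outside the hunk) — confirm nothing outside the hunk still calls the removed method.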
diff --git a/app/services/project_access_tokens/rotate_service.rb b/app/services/project_access_tokens/rotate_service.rb
deleted file mode 100644
index 63d8d2a82cc..00000000000
--- a/app/services/project_access_tokens/rotate_service.rb
+++ /dev/null
@@ -1,58 +0,0 @@
-# frozen_string_literal: true
-
-module ProjectAccessTokens
- class RotateService < ::PersonalAccessTokens::RotateService
- extend ::Gitlab::Utils::Override
-
- def initialize(current_user, token, resource = nil)
- @current_user = current_user
- @token = token
- @project = resource
- end
-
- def execute(params = {})
- super
- end
-
- attr_reader :project
-
- private
-
- override :create_access_token
- def create_access_token(params)
- target_user = token.user
-
- unless valid_access_level?
- return error_response(
- _("Not eligible to rotate token with access level higher than the user")
- )
- end
-
- new_token = target_user.personal_access_tokens.create(create_token_params(token, params))
-
- if new_token.persisted?
- update_bot_membership(target_user, new_token.expires_at)
-
- return success_response(new_token)
- end
-
- error_response(new_token.errors.full_messages.to_sentence)
- end
-
- def update_bot_membership(target_user, expires_at)
- target_user.members.update(expires_at: expires_at)
- end
-
- def valid_access_level?
- return true if current_user.can_admin_all_resources?
- return false unless current_user.can?(:manage_resource_access_tokens, project)
-
- token_access_level = project.team.max_member_access(token.user.id).to_i
- current_user_access_level = project.team.max_member_access(current_user.id).to_i
-
- return true if token_access_level.to_i <= current_user_access_level
-
- false
- end
- end
-end |